authorRob Crittenden <rcritten@redhat.com>2010-11-01 12:05:53 -0400
committerRob Crittenden <rcritten@redhat.com>2010-11-19 13:47:09 -0500
commit53d15537553e20a732d041ebddfd4ba69d5bb8dd (patch)
tree34fa2e91f2e34a231e1952fce3086b352f27a680 /ipalib/plugins
parent5c4dc1c2e95749559dac9c625859f4e1ced5a6e1 (diff)
downloadfreeipa-53d15537553e20a732d041ebddfd4ba69d5bb8dd.tar.gz
freeipa-53d15537553e20a732d041ebddfd4ba69d5bb8dd.tar.xz
freeipa-53d15537553e20a732d041ebddfd4ba69d5bb8dd.zip
Give a detached group a full set of group objectclasses.
The UUID plugin handles adding ipaUniqueId for us as well as the access control for it. ticket 250
Diffstat (limited to 'ipalib/plugins')
-rw-r--r--ipalib/plugins/baseldap.py4
-rw-r--r--ipalib/plugins/group.py29
2 files changed, 25 insertions, 8 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index d742a791e..61fedd98a 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -234,6 +234,10 @@ class LDAPObject(Object):
if parent_obj.primary_key:
yield parent_obj.primary_key.clone(query=True)
+ def has_objectclass(self, classes, objectclass):
+ oc = map(lambda x:x.lower(),classes)
+ return objectclass.lower() in oc
+
def convert_attribute_members(self, entry_attrs, *keys, **options):
if options.get('raw', False):
return
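Review bot: has_objectclass lowercases the whole classes list with map/lambda just to perform one membership test, and it carries no docstring; `return objectclass.lower() in (c.lower() for c in classes)` does the same in one readable line and stops at the first match. The method does not read self, so it could be a @staticmethod, though leaving it an instance method is harmless given callers reach it via self.obj. A one-line docstring such as `"""Return True if objectclass appears in classes, compared case-insensitively (LDAP objectclass names are case-insensitive)."""` would explain why the lowering is there at all.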
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 1994c010f..5ecc72ae8 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -291,23 +291,28 @@ class group_detach(LDAPRemoveMember):
group_dn = self.obj.get_dn(*keys, **options)
user_dn = self.api.Object['user'].get_dn(*keys)
+ (user_dn, user_attrs) = ldap.get_entry(user_dn)
+ is_managed = self.obj.has_objectclass(user_attrs['objectclass'], 'mepmanagedentry')
if (not ldap.can_write(user_dn, "objectclass") or
- not ldap.can_write(user_dn, "mepManagedEntry")):
+ not (ldap.can_write(user_dn, "mepManagedEntry")) and is_managed):
raise errors.ACIError(info=_('not allowed to modify user entries'))
+ (group_dn, group_attrs) = ldap.get_entry(group_dn)
+ is_managed = self.obj.has_objectclass(group_attrs['objectclass'], 'mepmanagedby')
if (not ldap.can_write(group_dn, "objectclass") or
- not ldap.can_write(group_dn, "mepManagedBy")):
+ not (ldap.can_write(group_dn, "mepManagedBy")) and is_managed):
raise errors.ACIError(info=_('not allowed to modify group entries'))
- (user_dn, user_attrs) = ldap.get_entry(user_dn)
objectclasses = user_attrs['objectclass']
try:
i = objectclasses.index('mepOriginEntry')
+ del objectclasses[i]
+ update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None}
+ ldap.update_entry(user_dn, update_attrs)
except ValueError:
- raise NotFound(reason=_('Not a managed group'))
- del objectclasses[i]
- update_attrs = {'objectclass': objectclasses, 'mepManagedEntry': None}
- ldap.update_entry(user_dn, update_attrs)
+ # Somehow the user isn't managed, let it pass for now. We'll
+ # let the group throw "Not managed".
+ pass
(group_dn, group_attrs) = ldap.get_entry(group_dn)
objectclasses = group_attrs['objectclass']
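Review bot: The new ACI check on the user entry evaluates as `not can_write(objectclass) or (not can_write(mepManagedEntry) and is_managed)` because `and` binds tighter than `or`, but the parentheses are placed around the can_write call alone, which suggests a different grouping was intended; writing it as `(is_managed and not ldap.can_write(user_dn, "mepManagedEntry"))` makes the rule explicit — write access to mepManagedEntry is only required when the entry actually carries that objectclass — and the same applies to the group check three lines below. The `try` body now also wraps `del objectclasses[i]` and `ldap.update_entry(user_dn, update_attrs)`, so a ValueError raised from the update would be silently treated as "user isn't managed"; keep only the `index` call inside the `try` and move the two follow-up lines into an `else:` clause. Reusing `is_managed` for both the user and the group also makes the two checks easy to confuse; `user_managed` / `group_managed` would keep them apart. The second hunk of this file merges the configured default objectclasses with `list(set(def_objectclass + objectclasses))`, which de-duplicates case-sensitively while has_objectclass compares case-insensitively, so a differently-cased duplicate could survive into the update; that hunk may continue past the end of this page.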
@@ -315,8 +320,16 @@ class group_detach(LDAPRemoveMember):
i = objectclasses.index('mepManagedEntry')
except ValueError:
# this should never happen
- raise NotFound(reason=_('Not a managed group'))
+ raise errors.NotFound(reason=_('Not a managed group'))
del objectclasses[i]
+
+ # Make sure the resulting group has the default group objectclasses
+ config = ldap.get_ipa_config()[1]
+ def_objectclass = config.get(
+ self.obj.object_class_config, objectclasses
+ )
+ objectclasses = list(set(def_objectclass + objectclasses))
+
update_attrs = {'objectclass': objectclasses, 'mepManagedBy': None}
ldap.update_entry(group_dn, update_attrs)